Friday, October 31, 2008

How to avoid passwords expiring in PeopleSoft

One of the most common customer security requirements is password expiration. PeopleSoft provides this functionality through the Password Controls component under:

PeopleTools > Security > Password Configuration > Password Controls

This component lets you enable or disable password expiration controls for all users. Now, what happens if we want a certain user's password to never expire?

There are plenty of situations where we might want this to happen, for instance:

The password for the user set in the Process Scheduler or Application Server configuration should not expire; otherwise the system may not work.

The same applies if a user is set as a Guest in a Web Profile.

Also, you may want to disable password expiration for PTWEBSERVER, the user set by default to let the Web Server retrieve Web Profiles from the PeopleSoft environment.

Unfortunately, PeopleSoft does not provide a way to disable password expiration for a given user. The good news is that it is quite easy to do by setting the last password change date to a future date using the following SQL statement:
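Because a future-dated last password change date exempts an account from expiration, it is worth auditing which accounts carry one. The following is an added example, not code from the original post; it assumes the operator table is PSOPRDEFN with OPRID, LASTPSWDCHANGE and ACCTLOCK columns, and the allowlist, sample rows and function names are constructed for illustration.

```python
import sqlite3
from datetime import date

# Assumed allowlist of service accounts approved to skip expiration.
# PTWEBSERVER is named in the post; PSAPPS is a constructed example name.
APPROVED = {"PTWEBSERVER", "PSAPPS"}

# Assumption: operator definitions live in PSOPRDEFN with these columns.
AUDIT_SQL = """
SELECT OPRID, LASTPSWDCHANGE, ACCTLOCK
FROM PSOPRDEFN
WHERE LASTPSWDCHANGE > :today
ORDER BY OPRID
"""

def build_sample_db():
    """In-memory stand-in for the operator table, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PSOPRDEFN ("
               "OPRID TEXT PRIMARY KEY, LASTPSWDCHANGE TEXT, ACCTLOCK INTEGER)")
    db.executemany("INSERT INTO PSOPRDEFN VALUES (?, ?, ?)", [
        ("PTWEBSERVER", "2099-12-31", 0),  # approved service account
        ("PSAPPS",      "2099-12-31", 0),  # approved service account
        ("JSMITH",      "2008-09-15", 0),  # normal user, date in the past
        ("BJONES",      "2008-10-31", 0),  # changed today, not future-dated
        ("TMPADMIN",    "2050-01-01", 0),  # future-dated, not on the allowlist
        ("OLDSVC",      "2099-12-31", 1),  # future-dated, locked, not approved
    ])
    return db

def audit_future_dated(db, today, approved=APPROVED):
    """Return every account whose last password change lies after `today`."""
    rows = db.execute(AUDIT_SQL, {"today": today.isoformat()}).fetchall()
    return [{"oprid": oprid, "last_change": changed,
             "approved": oprid in approved, "locked": bool(locked)}
            for oprid, changed, locked in rows]

def unapproved(findings):
    """Accounts exempt from expiration without being on the allowlist."""
    return [f["oprid"] for f in findings if not f["approved"]]

if __name__ == "__main__":
    findings = audit_future_dated(build_sample_db(), date(2008, 10, 31))
    for f in findings:
        status = "ok" if f["approved"] else "REVIEW"
        print(f"{status:6} {f['oprid']:12} {f['last_change']} locked={f['locked']}")
```

Against a real database, the same SELECT can be run directly with the current date bound to `:today`, and is a natural addition to a post-refresh or periodic review script.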

Although this approach works, it implies a customization in a PeopleTools object such as the FUNCLIB record you referred to. This is normally something you would like to avoid, as it could be affected by any PeopleTools update (which due to Oracle Security Alerts are quite common).

Again, as I said, it's a valid approach so in the end it's a matter of choosing the option you like the best.

Thanks for the great info. It would work for specific users alright. But what if I want the passwords of all the users working on a specific PeopleSoft environment to never expire, even after it is refreshed? Because the navigation in PIA and selecting the "Never Expires" tab would be set to default once the environment is refreshed, I guess. Is there a way to do that using a SQL query which can be added to the post-refresh script? Looking forward to your inputs/idea. :)

And is there a way to just update the "Never Expires" tab from the back end, as it should serve the purpose as well? Just checked the pplcode for the password control page. There is a lot of dependency. Some changes may have to be made at the PeopleCode level too. Nothing can be done at the SQL level alone without those changes, I think. Is there a way to enable that radio button (Never Expires) without contradicting the PeopleCode?

The password encryption is not done at the database level, so I'm not sure you can do it through SQL. One possible way would be to create a Component Interface in PeopleSoft and call it from Java. Another alternative would be using a Web Service, but in both cases you would need to do some development in PeopleSoft.

There is no standard way of doing this as far as I'm aware, although I haven't had the opportunity to do some deep research.